[TIP] radvd on a hardened system
MagicTom
n00b
Posted: Thu Apr 20, 2006 8:04 pm

Hello,

I recently encountered an annoying problem trying to configure IPv6 on my network: /etc/init.d/radvd start failed because of a segmentation fault.

Here is what I got in /var/log/messages:
Code:
Apr 20 20:11:20 localhost radvd[18883]: version 0.9.1 started
Apr 20 20:11:20 localhost radvd[18883]: can't open /proc/net/if_inet6: Permission denied
Apr 20 20:11:20 localhost grsec: From 192.168.0.21: signal 11 sent to /usr/sbin/radvd[radvd:18883] uid/euid:102/102 gid/egid:408/408, parent /sbin/runscript.sh[runscript.sh:26376] uid/euid:0/0 gid/egid:0/0
Apr 20 20:11:36 localhost rc-scripts: status:  stopped


Oops, a permission problem with /proc/net/if_inet6...
Code:
localhost ~ # ls -l /proc/ | grep net
dr-xr-x---  7 root   1001         0 avr 20 21:48 net/

Hey, user radvd can't read /proc/net! And obviously I don't want to run radvd as root...

The reason is that grsecurity causes /proc restrictions when its security level is set to Medium or higher (have a look at your kernel configuration, Security options --> Grsecurity --> Filesystem Protections, for more details). However, /proc is readable for GID 1001. So, let's create a group with GID 1001 and add user radvd to this group!

Code:
localhost ~ # groupadd -g 1001 grsec
localhost ~ # usermod -G radvd,grsec radvd
localhost ~ # ls -l /proc/ | grep net
dr-xr-x---  7 root   grsec         0 avr 20 21:58 net/
localhost ~ # /etc/init.d/radvd start
 * Enabling IPv6 forwarding ...                                     [ ok ]
 * Starting IPv6 Router Advertisement Daemon ...                    [ ok ]
localhost ~ #


Now it works perfectly :)

It took me half an hour to solve this problem. There was a post about it on the grsec forum, but the only solution I could find there was to run radvd as root... I hope this will help other people in the future ;)
_________________
There's no place like ::1
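
Since the fix above works by group membership, every account holding GID 1001 gets the same /proc access as radvd, so the group is worth auditing. The script below is an added example, not part of the original post: it lists who holds the GID (as primary or supplementary group) and flags anyone outside an allowlist. GID 1001 and radvd's uid/gid come from the post; the function names and the other sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit who holds the grsecurity /proc-exempt GID.
# Assumption: GID 1001 and the group name "grsec", as in the post above.

# Print every account holding GID $1, as primary group (passwd field 4)
# or supplementary member (group field 4); one name per line, sorted.
proc_group_members() {
    gid="$1"; passwd="${2:-/etc/passwd}"; group="${3:-/etc/group}"
    {
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd"
        awk -F: -v g="$gid" '$3 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
        }' "$group"
    } | sort -u
}

# Succeed if account $1 holds GID $2 (files $3/$4 optional, as above).
holds_proc_gid() {
    proc_group_members "$2" "$3" "$4" | grep -qxF -- "$1"
}

# Print members of GID $2 that are not in the space-separated allowlist $1.
# Each name printed can read the restricted /proc entries without needing to.
unexpected_members() {
    allow=" $1 "
    proc_group_members "$2" "$3" "$4" | while read -r u; do
        case "$allow" in *" $u "*) ;; *) printf '%s\n' "$u" ;; esac
    done
}

# Constructed sample account files (not from the original post), written
# into directory $1 so the audit can be run without touching /etc.
write_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'radvd:x:102:408:radvd:/dev/null:/sbin/nologin' \
        'backup:x:110:1001:backup:/var/backup:/sbin/nologin' \
        'ntp:x:123:123:ntp:/dev/null:/sbin/nologin' > "$1/passwd"
    printf '%s\n' 'radvd:x:408:' 'grsec:x:1001:radvd,www' \
        'ntp:x:123:' > "$1/group"
}

d=$(mktemp -d)
write_sample "$d"
echo "holders of GID 1001:"; proc_group_members 1001 "$d/passwd" "$d/group"
echo "not on allowlist:";    unexpected_members "radvd" 1001 "$d/passwd" "$d/group"
rm -rf "$d"
```

Called without file arguments, the functions read /etc/passwd and /etc/group, for example `unexpected_members "radvd" 1001`.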
UberLord
Retired Dev
Posted: Wed Jul 19, 2006 1:13 pm

Thanks for finding this out

I've added a note about this to the ebuild
_________________
When baselayout tells you to update config files or things break WE REALLY DO MEAN IT

Please add SOLVED to the thread title if your issue has been
Strip comments from configs please